PHP Under Threat: Details and Solutions for Vulnerability CVE-2024-4577

Global Impact and Mitigation Measures

🔴 Summary: Researchers from DEVCORE have disclosed a critical remote code execution (RCE) vulnerability in PHP, tracked as CVE-2024-4577, which affects almost all versions of PHP on Windows (the initial report described it as affecting versions 5.x and earlier). This vulnerability could put millions of servers worldwide at risk.


🔍 Vulnerability Details:

This vulnerability abuses the Best-Fit behaviour of Windows character-encoding conversion: specific character sequences allow attackers to bypass the protection introduced for CVE-2012-1823 and execute arbitrary code through an argument injection attack.

  • Discovery date: May 7, 2024
  • Patch release date: June 6, 2024
  • Impact: Allows unauthenticated attackers to execute arbitrary code on affected PHP servers, gaining full control over them.


🌐 Global Impact: Confirmed on Windows systems running with these regional settings:

  • Traditional Chinese (Code Page 950)
  • Simplified Chinese (Code Page 936)
  • Japanese (Code Page 932)
  • Other languages?: Not clearly defined; according to the DEVCORE article, other locales should not be ruled out and should be treated as potentially at risk.
  • Other locales may also be vulnerable depending on how PHP is used.


🛡️ Affected Versions and Products:

  • According to DEVCORE:
    • PHP 8.3 < 8.3.8
    • PHP 8.2 < 8.2.20
    • PHP 8.1 < 8.1.29
    • PHP 8.0, PHP 7 and PHP 5 are end-of-life and therefore remain vulnerable with no fix (see the mitigation measures for these cases).
    • ALL XAMPP installations are vulnerable.
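A quick way to turn the version list above into an inventory check is to parse the output of `php -v` on each Windows host and compare it against the fixed releases per branch. The script below is an added example, not code from this page or from DEVCORE; it encodes only the branches and fixed versions listed above, treats 8.0, 7.x and 5.x as end-of-life (no fix), and assumes that any branch newer than 8.3 was released after the fix (an assumption, marked in the code).

```python
import re

# Fixed releases per branch for CVE-2024-4577, as listed in the advisory.
FIXED = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}

# Matches "PHP 8.2.19 (cli) ..." as printed by `php -v`, or a bare "8.2.19".
VERSION_RE = re.compile(r"(?:PHP\s+)?(\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from `php -v` output or a bare version string."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no PHP version found in: {banner!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: tuple, on_windows: bool = True) -> str:
    """Classify a PHP build as 'patched', 'vulnerable' or 'not-affected'.

    The advisory scopes CVE-2024-4577 to PHP running on Windows, so non-Windows
    hosts are reported as not affected regardless of version.
    """
    if not on_windows:
        return "not-affected"
    major, minor, _ = version
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if version >= FIXED[branch] else "vulnerable"
    if major < 8 or branch == (8, 0):
        # 8.0, 7.x and 5.x are end-of-life: no fixed release exists.
        return "vulnerable"
    # Assumption: branches newer than 8.3 shipped after the fix date.
    return "patched"


def triage(banners: dict) -> dict:
    """Map host name -> assessment for a dict of host -> (`php -v` banner, on_windows)."""
    return {host: assess(parse_php_version(banner), win) for host, (banner, win) in banners.items()}


if __name__ == "__main__":
    # Constructed sample inventory; banners mimic the first line of `php -v`.
    inventory = {
        "web-01": ("PHP 8.2.19 (cli) (built: May  8 2024 10:11:12) (ZTS Visual C++ 2019 x64)", True),
        "web-02": ("PHP 8.3.8 (cli)", True),
        "legacy-01": ("PHP 7.4.33 (cli)", True),
        "linux-01": ("PHP 8.1.2 (cli)", False),
    }
    for host, status in triage(inventory).items():
        print(f"{host:10} {status}")
```

Feed it the real `php -v` output collected from each host; anything reported as `vulnerable` on an end-of-life branch has no update path and needs one of the mitigations discussed below.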


⚠️ Recommended Action:

  • Update: It is strongly recommended to update to PHP 8.3.8, 8.2.20 or 8.1.29.
  • For users who CANNOT update PHP: DEVCORE provides a mitigation as a mod_rewrite rule, but it only applies in specific scenarios for now, so check that your deployment meets its requirements before relying on it.
  • For XAMPP users: Some parameters in the HTTP server configuration need to be changed; this must also be evaluated per deployment.
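For the XAMPP case, the change DEVCORE's advisory describes is to stop exposing `php-cgi.exe` over HTTP by disabling the `/php-cgi/` ScriptAlias in Apache's XAMPP configuration, leaving PHP to run through `mod_php` instead of the CGI code path. The fragment below is an added illustration, not text from this page; it assumes the default XAMPP install path `C:/xampp` (adjust if installed elsewhere) and that no application on the host depends on the `/php-cgi/` alias, which should be verified before applying it.

```apache
# File: C:/xampp/apache/conf/extra/httpd-xampp.conf   (default XAMPP path, assumed)

# Weak setting: php-cgi.exe is reachable under /php-cgi/, which is the
# CGI entry point CVE-2024-4577 affects.
#ScriptAlias /php-cgi/ "C:/xampp/php/"

# Corrected setting: the alias is commented out (as above), so requests to
# /php-cgi/ no longer reach php-cgi.exe. PHP pages keep working because XAMPP
# loads PHP as an Apache module via LoadModule php_module in the same file.

# After editing: validate the configuration, then restart Apache.
#   C:\xampp\apache\bin\httpd.exe -t
#   C:\xampp\xampp_stop.exe && C:\xampp\xampp_start.exe
```

Disabling the alias only removes the CGI exposure in XAMPP; it does not replace updating PHP, and any deployment that genuinely needs PHP-CGI must still move to a fixed version.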

The general recommendation is to stay alert for updates on this CVE, since it opens several possible vectors depending on scenarios and deployments that are not yet fully defined.

More info:


At Quasar Cybersecurity, we are already developing potential solutions for a wide range of scenarios. If you have any questions about the possible impact on your infrastructure, please do not hesitate to contact us.